From ddcf6256a9df19db2d0c5c2cc79ed3e432a83443 Mon Sep 17 00:00:00 2001 From: Jason Feng Date: Mon, 18 Sep 2023 14:55:40 -0400 Subject: [PATCH 01/15] CRIU adds OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT Added --enable-openjdk-crac-support, xa64 is enabled by default, other platforms are disabled by default; If OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT is on, opt_openjdkCracSupport and OPENJDK_CRAC_SUPPORT are enabled. Signed-off-by: Jason Feng fengj@ca.ibm.com --- closed/JPP.gmk | 4 ++++ closed/OpenJ9.gmk | 13 +++++++++++++ closed/autoconf/custom-hook.m4 | 28 ++++++++++++++++++++++++++++ closed/autoconf/custom-spec.gmk.in | 11 ++++++----- 4 files changed, 51 insertions(+), 5 deletions(-) diff --git a/closed/JPP.gmk b/closed/JPP.gmk index a9474f2916f..c207cff84a6 100644 --- a/closed/JPP.gmk +++ b/closed/JPP.gmk @@ -26,6 +26,10 @@ ifeq (true,$(OPENJ9_ENABLE_CRIU_SUPPORT)) JPP_TAGS += CRIU_SUPPORT endif # OPENJ9_ENABLE_CRIU_SUPPORT +ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) + JPP_TAGS += OPENJDK_CRAC_SUPPORT +endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT + ifeq (true,$(OPENJ9_ENABLE_INLINE_TYPES)) JPP_TAGS += INLINE-TYPES endif # OPENJ9_ENABLE_INLINE_TYPES diff --git a/closed/OpenJ9.gmk b/closed/OpenJ9.gmk index 83d937eb37b..212276d5a9e 100644 --- a/closed/OpenJ9.gmk +++ b/closed/OpenJ9.gmk @@ -292,6 +292,13 @@ else # OPENJ9_ENABLE_CRIU_SUPPORT FEATURE_SED_SCRIPT += $(call SedDisable,opt_criuSupport) endif # OPENJ9_ENABLE_CRIU_SUPPORT +# Adjust OpenJDK CRAC Support enablement flags. +ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) + FEATURE_SED_SCRIPT += $(call SedEnable,opt_openjdkCracSupport) +else # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT + FEATURE_SED_SCRIPT += $(call SedDisable,opt_openjdkCracSupport) +endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT + # Adjust OpenJDK MethodHandles enablement flags. FEATURE_SED_SCRIPT += $(call SedDisable,opt_methodHandle) FEATURE_SED_SCRIPT += $(call SedEnable,opt_openjdkMethodhandle) @@ -453,6 +460,12 @@ ifeq (true,$(OPENJ9_ENABLE_CMAKE)) CMAKE_ARGS += -DJ9VM_OPT_CRIU_SUPPORT=OFF endif # OPENJ9_ENABLE_CRIU_SUPPORT + ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) + CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_CRAC_SUPPORT=ON + else # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT + CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_CRAC_SUPPORT=OFF + endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT + CMAKE_ARGS += -DJ9VM_OPT_METHOD_HANDLE=OFF CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_METHODHANDLE=ON diff --git a/closed/autoconf/custom-hook.m4 b/closed/autoconf/custom-hook.m4 index 8f7d901578a..04b8105d05b 100644 --- a/closed/autoconf/custom-hook.m4 +++ b/closed/autoconf/custom-hook.m4 @@ -41,6 +41,7 @@ AC_DEFUN_ONCE([CUSTOM_EARLY_HOOK], OPENJ9_CONFIGURE_CMAKE OPENJ9_CONFIGURE_COMPILERS OPENJ9_CONFIGURE_CRIU_SUPPORT + OPENJ9_CONFIGURE_OPENJDK_CRAC_SUPPORT OPENJ9_CONFIGURE_CUDA OPENJ9_CONFIGURE_DDR OPENJ9_CONFIGURE_DEMOS @@ -367,6 +368,33 @@ AC_DEFUN([OPENJ9_CONFIGURE_CRIU_SUPPORT], AC_SUBST(OPENJ9_ENABLE_CRIU_SUPPORT) ]) +AC_DEFUN([OPENJ9_CONFIGURE_OPENJDK_CRAC_SUPPORT], +[ + AC_MSG_CHECKING([for OpenJDK CRAC support]) + AC_ARG_ENABLE([openjdk-crac-support], [AS_HELP_STRING([--enable-openjdk-crac-support], [enable OpenJDK CRAC support @<:@disabled@:>@])]) + OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=false + + if test "x$enable_openjdk_crac_support" = xyes ; then + AC_MSG_RESULT([yes (explicitly enabled)]) + OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=true + elif test "x$enable_openjdk_crac_support" = xno ; then + AC_MSG_RESULT([no (explicitly disabled)]) + elif test "x$enable_openjdk_crac_support" = x ; then + case "$OPENJ9_PLATFORM_CODE" in + xa64) + AC_MSG_RESULT([yes (default)]) + OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=true + ;; + *) + AC_MSG_RESULT([no (default)]) + ;; + esac + else + AC_MSG_ERROR([--enable-openjdk-crac-support accepts no argument]) + fi + AC_SUBST(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT) +]) + AC_DEFUN([OPENJ9_CONFIGURE_INLINE_TYPES], [ AC_MSG_CHECKING([for inline types]) diff --git a/closed/autoconf/custom-spec.gmk.in b/closed/autoconf/custom-spec.gmk.in index 019d1cb560c..6c98bad2bf1 100644 --- a/closed/autoconf/custom-spec.gmk.in +++ b/closed/autoconf/custom-spec.gmk.in @@ -68,11 +68,12 @@ export GDK_HOME := @OPENJ9_GDK_HOME@ endif # feature enablement flags -OPENJ9_ENABLE_CRIU_SUPPORT := @OPENJ9_ENABLE_CRIU_SUPPORT@ -OPENJ9_ENABLE_DDR := @OPENJ9_ENABLE_DDR@ -OPENJ9_ENABLE_DEMOS := @OPENJ9_ENABLE_DEMOS@ -OPENJ9_ENABLE_INLINE_TYPES := @OPENJ9_ENABLE_INLINE_TYPES@ -OPENJ9_ENABLE_JITSERVER := @OPENJ9_ENABLE_JITSERVER@ +OPENJ9_ENABLE_CRIU_SUPPORT := @OPENJ9_ENABLE_CRIU_SUPPORT@ +OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT := @OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT@ +OPENJ9_ENABLE_DDR := @OPENJ9_ENABLE_DDR@ +OPENJ9_ENABLE_DEMOS := @OPENJ9_ENABLE_DEMOS@ +OPENJ9_ENABLE_INLINE_TYPES := @OPENJ9_ENABLE_INLINE_TYPES@ +OPENJ9_ENABLE_JITSERVER := @OPENJ9_ENABLE_JITSERVER@ # for constructing version output COMPILER_VERSION_STRING := @COMPILER_VERSION_STRING@ From bfaed992ee0faf167b424eb26e2a0a499fe12cf5 Mon Sep 17 00:00:00 2001 From: Jason Feng Date: Wed, 20 Sep 2023 16:52:35 -0400 Subject: [PATCH 02/15] Rename OPENJDK_CRAC_SUPPORT to CRAC_SUPPORT Signed-off-by: Jason Feng --- closed/JPP.gmk | 8 ++--- closed/OpenJ9.gmk | 26 ++++++++-------- closed/autoconf/custom-hook.m4 | 50 +++++++++++++++--------------- closed/autoconf/custom-spec.gmk.in | 12 +++---- 4 files changed, 48 insertions(+), 48 deletions(-) diff --git a/closed/JPP.gmk b/closed/JPP.gmk index c207cff84a6..18012f82bd8 100644 --- a/closed/JPP.gmk +++ b/closed/JPP.gmk @@ -22,14 +22,14 @@ J9TOOLS_DIR := $(SUPPORT_OUTPUTDIR)/j9tools JPP_JAR := $(J9TOOLS_DIR)/jpp.jar JPP_TAGS := PLATFORM-$(OPENJ9_PLATFORM_CODE) +ifeq (true,$(OPENJ9_ENABLE_CRAC_SUPPORT)) + JPP_TAGS += CRAC_SUPPORT +endif # OPENJ9_ENABLE_CRAC_SUPPORT + ifeq (true,$(OPENJ9_ENABLE_CRIU_SUPPORT)) JPP_TAGS += CRIU_SUPPORT endif # OPENJ9_ENABLE_CRIU_SUPPORT -ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) - JPP_TAGS += OPENJDK_CRAC_SUPPORT -endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT - ifeq (true,$(OPENJ9_ENABLE_INLINE_TYPES)) JPP_TAGS += INLINE-TYPES endif # OPENJ9_ENABLE_INLINE_TYPES diff --git a/closed/OpenJ9.gmk b/closed/OpenJ9.gmk index 212276d5a9e..df8bceb7b22 100644 --- a/closed/OpenJ9.gmk +++ b/closed/OpenJ9.gmk @@ -285,6 +285,13 @@ else SPEC_SED_SCRIPT += $(call SedDisable,opt_valhallaValueTypes) endif +# Adjust CRAC Support enablement flags. +ifeq (true,$(OPENJ9_ENABLE_CRAC_SUPPORT)) + FEATURE_SED_SCRIPT += $(call SedEnable,opt_cracSupport) +else # OPENJ9_ENABLE_CRAC_SUPPORT + FEATURE_SED_SCRIPT += $(call SedDisable,opt_cracSupport) +endif # OPENJ9_ENABLE_CRAC_SUPPORT + # Adjust CRIU Support enablement flags. ifeq (true,$(OPENJ9_ENABLE_CRIU_SUPPORT)) FEATURE_SED_SCRIPT += $(call SedEnable,opt_criuSupport) @@ -292,13 +299,6 @@ else # OPENJ9_ENABLE_CRIU_SUPPORT FEATURE_SED_SCRIPT += $(call SedDisable,opt_criuSupport) endif # OPENJ9_ENABLE_CRIU_SUPPORT -# Adjust OpenJDK CRAC Support enablement flags. -ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) - FEATURE_SED_SCRIPT += $(call SedEnable,opt_openjdkCracSupport) -else # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT - FEATURE_SED_SCRIPT += $(call SedDisable,opt_openjdkCracSupport) -endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT - # Adjust OpenJDK MethodHandles enablement flags. FEATURE_SED_SCRIPT += $(call SedDisable,opt_methodHandle) FEATURE_SED_SCRIPT += $(call SedEnable,opt_openjdkMethodhandle) @@ -454,18 +454,18 @@ ifeq (true,$(OPENJ9_ENABLE_CMAKE)) CMAKE_ARGS += -DJ9VM_OPT_VALHALLA_VALUE_TYPES=OFF endif # OPENJ9_ENABLE_INLINE_TYPES + ifeq (true,$(OPENJ9_ENABLE_CRAC_SUPPORT)) + CMAKE_ARGS += -DJ9VM_OPT_CRAC_SUPPORT=ON + else # OPENJ9_ENABLE_CRAC_SUPPORT + CMAKE_ARGS += -DJ9VM_OPT_CRAC_SUPPORT=OFF + endif # OPENJ9_ENABLE_CRAC_SUPPORT + ifeq (true,$(OPENJ9_ENABLE_CRIU_SUPPORT)) CMAKE_ARGS += -DJ9VM_OPT_CRIU_SUPPORT=ON else # OPENJ9_ENABLE_CRIU_SUPPORT CMAKE_ARGS += -DJ9VM_OPT_CRIU_SUPPORT=OFF endif # OPENJ9_ENABLE_CRIU_SUPPORT - ifeq (true,$(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT)) - CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_CRAC_SUPPORT=ON - else # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT - CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_CRAC_SUPPORT=OFF - endif # OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT - CMAKE_ARGS += -DJ9VM_OPT_METHOD_HANDLE=OFF CMAKE_ARGS += -DJ9VM_OPT_OPENJDK_METHODHANDLE=ON diff --git a/closed/autoconf/custom-hook.m4 b/closed/autoconf/custom-hook.m4 index 04b8105d05b..da658cf95b0 100644 --- a/closed/autoconf/custom-hook.m4 +++ b/closed/autoconf/custom-hook.m4 @@ -40,8 +40,8 @@ AC_DEFUN_ONCE([CUSTOM_EARLY_HOOK], OPENJ9_PLATFORM_SETUP OPENJ9_CONFIGURE_CMAKE OPENJ9_CONFIGURE_COMPILERS + OPENJ9_CONFIGURE_CRAC_SUPPORT OPENJ9_CONFIGURE_CRIU_SUPPORT - OPENJ9_CONFIGURE_OPENJDK_CRAC_SUPPORT OPENJ9_CONFIGURE_CUDA OPENJ9_CONFIGURE_DDR OPENJ9_CONFIGURE_DEMOS @@ -341,58 +341,58 @@ AC_DEFUN([OPENJ9_PLATFORM_EXTRACT_VARS_FROM_CPU], esac ]) -AC_DEFUN([OPENJ9_CONFIGURE_CRIU_SUPPORT], +AC_DEFUN([OPENJ9_CONFIGURE_CRAC_SUPPORT], [ - AC_MSG_CHECKING([for CRIU support]) - AC_ARG_ENABLE([criu-support], [AS_HELP_STRING([--enable-criu-support], [enable CRIU support @<:@disabled@:>@])]) - OPENJ9_ENABLE_CRIU_SUPPORT=false + AC_MSG_CHECKING([for CRAC support]) + AC_ARG_ENABLE([crac-support], [AS_HELP_STRING([--enable-crac-support], [enable CRAC support @<:@platform dependent@:>@])]) + OPENJ9_ENABLE_CRAC_SUPPORT=false - if test "x$enable_criu_support" = xyes ; then + if test "x$enable_crac_support" = xyes ; then AC_MSG_RESULT([yes (explicitly enabled)]) - OPENJ9_ENABLE_CRIU_SUPPORT=true - elif test "x$enable_criu_support" = xno ; then + OPENJ9_ENABLE_CRAC_SUPPORT=true + elif test "x$enable_crac_support" = xno ; then AC_MSG_RESULT([no (explicitly disabled)]) - elif test "x$enable_criu_support" = x ; then + elif test "x$enable_crac_support" = x ; then case "$OPENJ9_PLATFORM_CODE" in - xa64|xl64|xr64|xz64) + xa64) AC_MSG_RESULT([yes (default)]) - OPENJ9_ENABLE_CRIU_SUPPORT=true + OPENJ9_ENABLE_CRAC_SUPPORT=true ;; *) AC_MSG_RESULT([no (default)]) ;; esac else - AC_MSG_ERROR([--enable-criu-support accepts no argument]) + AC_MSG_ERROR([--enable-crac-support accepts no argument]) fi - AC_SUBST(OPENJ9_ENABLE_CRIU_SUPPORT) + AC_SUBST(OPENJ9_ENABLE_CRAC_SUPPORT) ]) -AC_DEFUN([OPENJ9_CONFIGURE_OPENJDK_CRAC_SUPPORT], +AC_DEFUN([OPENJ9_CONFIGURE_CRIU_SUPPORT], [ - AC_MSG_CHECKING([for OpenJDK CRAC support]) - AC_ARG_ENABLE([openjdk-crac-support], [AS_HELP_STRING([--enable-openjdk-crac-support], [enable OpenJDK CRAC support @<:@disabled@:>@])]) - OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=false + AC_MSG_CHECKING([for CRIU support]) + AC_ARG_ENABLE([criu-support], [AS_HELP_STRING([--enable-criu-support], [enable CRIU support @<:@platform dependent@:>@])]) + OPENJ9_ENABLE_CRIU_SUPPORT=false - if test "x$enable_openjdk_crac_support" = xyes ; then + if test "x$enable_criu_support" = xyes ; then AC_MSG_RESULT([yes (explicitly enabled)]) - OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=true - elif test "x$enable_openjdk_crac_support" = xno ; then + OPENJ9_ENABLE_CRIU_SUPPORT=true + elif test "x$enable_criu_support" = xno ; then AC_MSG_RESULT([no (explicitly disabled)]) - elif test "x$enable_openjdk_crac_support" = x ; then + elif test "x$enable_criu_support" = x ; then case "$OPENJ9_PLATFORM_CODE" in - xa64) + xa64|xl64|xr64|xz64) AC_MSG_RESULT([yes (default)]) - OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT=true + OPENJ9_ENABLE_CRIU_SUPPORT=true ;; *) AC_MSG_RESULT([no (default)]) ;; esac else - AC_MSG_ERROR([--enable-openjdk-crac-support accepts no argument]) + AC_MSG_ERROR([--enable-criu-support accepts no argument]) fi - AC_SUBST(OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT) + AC_SUBST(OPENJ9_ENABLE_CRIU_SUPPORT) ]) AC_DEFUN([OPENJ9_CONFIGURE_INLINE_TYPES], diff --git a/closed/autoconf/custom-spec.gmk.in b/closed/autoconf/custom-spec.gmk.in index 6c98bad2bf1..9b8063fd454 100644 --- a/closed/autoconf/custom-spec.gmk.in +++ b/closed/autoconf/custom-spec.gmk.in @@ -68,12 +68,12 @@ export GDK_HOME := @OPENJ9_GDK_HOME@ endif # feature enablement flags -OPENJ9_ENABLE_CRIU_SUPPORT := @OPENJ9_ENABLE_CRIU_SUPPORT@ -OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT := @OPENJ9_ENABLE_OPENJDK_CRAC_SUPPORT@ -OPENJ9_ENABLE_DDR := @OPENJ9_ENABLE_DDR@ -OPENJ9_ENABLE_DEMOS := @OPENJ9_ENABLE_DEMOS@ -OPENJ9_ENABLE_INLINE_TYPES := @OPENJ9_ENABLE_INLINE_TYPES@ -OPENJ9_ENABLE_JITSERVER := @OPENJ9_ENABLE_JITSERVER@ +OPENJ9_ENABLE_CRAC_SUPPORT := @OPENJ9_ENABLE_CRAC_SUPPORT@ +OPENJ9_ENABLE_CRIU_SUPPORT := @OPENJ9_ENABLE_CRIU_SUPPORT@ +OPENJ9_ENABLE_DDR := @OPENJ9_ENABLE_DDR@ +OPENJ9_ENABLE_DEMOS := @OPENJ9_ENABLE_DEMOS@ +OPENJ9_ENABLE_INLINE_TYPES := @OPENJ9_ENABLE_INLINE_TYPES@ +OPENJ9_ENABLE_JITSERVER := @OPENJ9_ENABLE_JITSERVER@ # for constructing version output COMPILER_VERSION_STRING := @COMPILER_VERSION_STRING@ From 8f89327e38f1534d5e04692dca618d2f59389c20 Mon Sep 17 00:00:00 2001 From: Peter Shipton Date: Thu, 21 Sep 2023 09:02:45 -0400 Subject: [PATCH 03/15] Look for -XX:[+/-]UseZlibNX on AIX AIX puts zlibNX on the LIBPATH when running on P9 or later, but having this in the environment may cause some things, such as git clone, to fail when exec'ed from Java. For example, `fatal: pack has bad object at offset 3872100: inflate returned -5` Backport of https://github.com/ibmruntimes/openj9-openjdk-jdk/pull/664 Signed-off-by: Peter Shipton --- src/java.base/unix/native/libjli/java_md.c | 33 ++++++++++++++++++---- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/src/java.base/unix/native/libjli/java_md.c b/src/java.base/unix/native/libjli/java_md.c index e4f63284fd4..9c30d4f2c3c 100644 --- a/src/java.base/unix/native/libjli/java_md.c +++ b/src/java.base/unix/native/libjli/java_md.c @@ -25,7 +25,7 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2020, 2021 All Rights Reserved + * (c) Copyright IBM Corp. 2020, 2023 All Rights Reserved * =========================================================================== */ @@ -376,12 +376,35 @@ CreateExecutionEnvironment(int *pargc, char ***pargv, * o $JVMPATH (directory portion only) * o $JRE/lib * o $JRE/../lib - * o ZLIBNX_PATH (for AIX P9 or newer systems with NX) + * o ZLIBNX_PATH (for AIX P9 or newer systems with NX, unless -XX:-UseZlibNX is set) * * followed by the user's previous effective LD_LIBRARY_PATH, if * any. */ +#ifdef AIX + int aixargc = *pargc - 1; // skip the launcher name + char **aixargv = *pargv + 1; + const char *aixarg = NULL; + jboolean useZlibNX = JNI_TRUE; + while (aixargc > 0 && *(aixarg = *aixargv) == '-') { + if (JLI_StrCmp(aixarg, "-XX:+UseZlibNX") == 0) { + useZlibNX = JNI_TRUE; + } else if (JLI_StrCmp(aixarg, "-XX:-UseZlibNX") == 0) { + useZlibNX = JNI_FALSE; + } + aixargc--; + aixargv++; + } + useZlibNX = useZlibNX && power_9_andup() && power_nx_gzip(); + if (JLI_IsTraceLauncher()) { + printf("Add " ZLIBNX_PATH " to the LIBPATH: %s P9+ %s NX %s\n", + useZlibNX ? "TRUE" : "FALSE", + power_9_andup() ? "TRUE" : "FALSE", + power_nx_gzip() ? "TRUE" : "FALSE"); + } +#endif + runpath = getenv(LD_LIBRARY_PATH); /* runpath contains current effective LD_LIBRARY_PATH setting */ @@ -390,8 +413,8 @@ CreateExecutionEnvironment(int *pargc, char ***pargv, new_runpath_size = ((runpath != NULL) ? JLI_StrLen(runpath) : 0) + 2 * JLI_StrLen(jrepath) + #ifdef AIX - /* On AIX P9 or newer with NX accelerator enabled, add the accelerated zlibNX to LIBPATH */ - ((power_9_andup() && power_nx_gzip()) ? JLI_StrLen(":" ZLIBNX_PATH) : 0) + + /* On AIX P9 or newer with NX accelerator enabled, add the accelerated zlibNX to LIBPATH. */ + (useZlibNX ? JLI_StrLen(":" ZLIBNX_PATH) : 0) + #endif JLI_StrLen(new_jvmpath) + 52; new_runpath = JLI_MemAlloc(new_runpath_size); @@ -419,7 +442,7 @@ CreateExecutionEnvironment(int *pargc, char ***pargv, jrepath, jrepath #ifdef AIX - , ((power_9_andup() && power_nx_gzip()) ? (":" ZLIBNX_PATH) : "") + , (useZlibNX ? (":" ZLIBNX_PATH) : "") #endif ); From 462c8c68953e5a32eb8c96ead26aa7724db3fc10 Mon Sep 17 00:00:00 2001 From: tajila Date: Wed, 20 Sep 2023 15:08:58 -0400 Subject: [PATCH 04/15] Register natives in ConstantPool init Depends on https://github.com/eclipse-openj9/openj9/pull/18169 Signed-off-by: tajila --- .../share/classes/jdk/internal/reflect/ConstantPool.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/java.base/share/classes/jdk/internal/reflect/ConstantPool.java b/src/java.base/share/classes/jdk/internal/reflect/ConstantPool.java index a43034126e4..7e4339d2eea 100644 --- a/src/java.base/share/classes/jdk/internal/reflect/ConstantPool.java +++ b/src/java.base/share/classes/jdk/internal/reflect/ConstantPool.java @@ -22,6 +22,11 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ +/* + * =========================================================================== + * (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved + * =========================================================================== + */ package jdk.internal.reflect; @@ -104,7 +109,10 @@ private static Tag valueOf(byte v) { // Internals only below this point // + private static native void registerNatives(); + static { + registerNatives(); Reflection.registerFieldsToFilter(ConstantPool.class, Set.of("constantPoolOop")); } From e5c34097894e788f40baa80d8229890e9034473d Mon Sep 17 00:00:00 2001 From: Kostas Tsiounis Date: Wed, 27 Sep 2023 14:39:37 -0400 Subject: [PATCH 05/15] Always revert to Java impl when OpenSSL fails At the moment, if there is an OpenSSL failure when using NativeECKeyPairGenerator, a flag for that particular curve is set and the Sun Java implementation is used to complete the task. If another instance of NativeECKeyPairGenerator reaches the same failure, a ProviderException is thrown, as the issue with that particular curve should have been discovered during the call to initialize() thus creating and using an instance of ECKeyPairGenerator, and that particular point should never have been reached. However, in the scenario where the second instance of NativeECKeyPairGenerator has been initialized earlier, the flag for the problematic curve will never be discovered. This fix ensures that we always revert to the Sun Java implementation when an OpenSSL failure occurs. Signed-off by: Kostas Tsiounis --- .../security/ec/NativeECKeyPairGenerator.java | 28 ++++++------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java index 9cb00f08018..8c2440b25bc 100644 --- a/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java +++ b/closed/src/jdk.crypto.ec/share/classes/sun/security/ec/NativeECKeyPairGenerator.java @@ -166,17 +166,13 @@ public KeyPair generateKeyPair() { return this.javaImplementation.generateKeyPair(); } - boolean absent; long nativePointer = NativeECUtil.encodeGroup(this.params); if (nativePointer == -1) { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Could not encode group"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation."); + System.err.println("Could not encode group for curve " + this.curve + + " in OpenSSL, using Java crypto implementation."); } try { this.initializeJavaImplementation(); @@ -193,13 +189,10 @@ public KeyPair generateKeyPair() { } else if (field instanceof ECFieldF2m) { fieldType = NativeCrypto.ECField_F2m; } else { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Field type not supported"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation."); + System.err.println("Field type not supported for curve " + this.curve + + " by OpenSSL, using Java crypto implementation."); } try { this.initializeJavaImplementation(); @@ -224,13 +217,10 @@ public KeyPair generateKeyPair() { fieldType); if (ret == -1) { - absent = NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); - if (!absent) { - throw new ProviderException("Could not generate key pair"); - } + NativeECUtil.putCurveIfAbsent(this.curve, Boolean.FALSE); if (nativeCryptTrace) { - System.err.println(this.curve + - " is not supported by OpenSSL, using Java crypto implementation for key generation."); + System.err.println("Could not generate key pair for curve " + this.curve + + " using OpenSSL, using Java crypto implementation for key generation."); } try { this.initializeJavaImplementation(); From e5043a5ea129ff4b9230ce481b00c14f782c0127 Mon Sep 17 00:00:00 2001 From: "Keith W. Campbell" Date: Tue, 3 Oct 2023 13:39:36 -0400 Subject: [PATCH 06/15] Revert "8307603: [AIX] Broken build after JDK-8307301" Signed-off-by: Keith W. Campbell --- src/java.desktop/share/native/libharfbuzz/hb-subset.cc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/java.desktop/share/native/libharfbuzz/hb-subset.cc b/src/java.desktop/share/native/libharfbuzz/hb-subset.cc index 538f4ec64bf..ff591cb259f 100644 --- a/src/java.desktop/share/native/libharfbuzz/hb-subset.cc +++ b/src/java.desktop/share/native/libharfbuzz/hb-subset.cc @@ -43,11 +43,7 @@ #include "OT/Color/sbix/sbix.hh" #include "hb-ot-os2-table.hh" #include "hb-ot-post-table.hh" - -#if !defined(AIX) #include "hb-ot-post-table-v2subset.hh" -#endif - #include "hb-ot-cff1-table.hh" #include "hb-ot-cff2-table.hh" #include "hb-ot-vorg-table.hh" From 803f3a437225f43c9fda3045320d429711a47a21 Mon Sep 17 00:00:00 2001 From: Aleksei Voitylov Date: Wed, 21 Jun 2023 13:36:34 +0000 Subject: [PATCH 07/15] 8296581: Better system proxy support Reviewed-by: mbalao Backport-of: 111811e64245ae720a0617b7de0c52c60bb2bac1 --- src/java.base/windows/native/libnet/DefaultProxySelector.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/java.base/windows/native/libnet/DefaultProxySelector.c b/src/java.base/windows/native/libnet/DefaultProxySelector.c index af21216178a..51add618f47 100644 --- a/src/java.base/windows/native/libnet/DefaultProxySelector.c +++ b/src/java.base/windows/native/libnet/DefaultProxySelector.c @@ -243,7 +243,7 @@ Java_sun_net_spi_DefaultProxySelector_getSystemProxies(JNIEnv *env, if (use_auto_proxy) { WCHAR url[MAX_STR_LEN]; /* Create url for WinHttpGetProxyForUrl */ - _snwprintf(url, sizeof(url) - 1, L"%s://%s", lpProto, lpHost); + swprintf(url, MAX_STR_LEN, L"%s://%s", lpProto, lpHost); /* Get proxy for URL from Windows */ use_auto_proxy = WinHttpGetProxyForUrl(session, &url[0], &auto_proxy_options, &proxy_info); if (use_auto_proxy) { From a33cc36df750055982aa442ddc361411311e880a Mon Sep 17 00:00:00 2001 From: Aleksei Voitylov Date: Fri, 23 Jun 2023 14:54:42 +0000 Subject: [PATCH 08/15] 8297856: Improve handling of Bidi characters Reviewed-by: mbalao Backport-of: 244b89fc786894cb8cca742f91875ebb98b603ff --- src/java.base/share/classes/jdk/internal/icu/text/BidiBase.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/java.base/share/classes/jdk/internal/icu/text/BidiBase.java b/src/java.base/share/classes/jdk/internal/icu/text/BidiBase.java index 1714c15143a..ae834f06584 100644 --- a/src/java.base/share/classes/jdk/internal/icu/text/BidiBase.java +++ b/src/java.base/share/classes/jdk/internal/icu/text/BidiBase.java @@ -4595,7 +4595,7 @@ public static void reorderVisually(byte[] levels, objectStart + " is out of range 0 to " + (objects.length-1)); } - if (0 > count || objects.length < (objectStart+count)) { + if (0 > count || objects.length - count < objectStart) { throw new IllegalArgumentException("Value count " + count + " is less than zero, or objectStart + count" + " is beyond objects length " + objects.length); From 193406b2545751e4a9cef8eb0f7ab243057881d1 Mon Sep 17 00:00:00 2001 From: Alexey Bakhtin Date: Wed, 6 Sep 2023 15:15:46 -0700 Subject: [PATCH 09/15] 8309966: Enhanced TLS connections Reviewed-by: mbalao Backport-of: d25ee81f56d67f2c51ba8b8c59f470c6f88ae47f --- .../security/cert/CertPathHelperImpl.java | 11 +- .../java/security/cert/X509CertSelector.java | 14 +-- .../provider/certpath/CertPathHelper.java | 14 +-- .../provider/certpath/ForwardBuilder.java | 65 ----------- .../provider/certpath/ForwardState.java | 50 -------- .../provider/certpath/SunCertPathBuilder.java | 109 ++++++++++++++---- 6 files changed, 90 insertions(+), 173 deletions(-) diff --git a/src/java.base/share/classes/java/security/cert/CertPathHelperImpl.java b/src/java.base/share/classes/java/security/cert/CertPathHelperImpl.java index bd6545a7357..3da6cb3dd4f 100644 --- a/src/java.base/share/classes/java/security/cert/CertPathHelperImpl.java +++ b/src/java.base/share/classes/java/security/cert/CertPathHelperImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,12 +25,10 @@ package java.security.cert; -import java.util.*; +import java.util.Date; import sun.security.provider.certpath.CertPathHelper; -import sun.security.x509.GeneralNameInterface; - /** * Helper class that allows the Sun CertPath provider to access * implementation dependent APIs in CertPath framework. @@ -55,11 +53,6 @@ static synchronized void initialize() { } } - protected void implSetPathToNames(X509CertSelector sel, - Set names) { - sel.setPathToNamesInternal(names); - } - protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) { sel.setDateAndTime(date, skew); } diff --git a/src/java.base/share/classes/java/security/cert/X509CertSelector.java b/src/java.base/share/classes/java/security/cert/X509CertSelector.java index 356e53e21fa..b838b3f51c2 100644 --- a/src/java.base/share/classes/java/security/cert/X509CertSelector.java +++ b/src/java.base/share/classes/java/security/cert/X509CertSelector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -87,10 +87,6 @@ public class X509CertSelector implements CertSelector { private static final ObjectIdentifier ANY_EXTENDED_KEY_USAGE = ObjectIdentifier.of(KnownOIDs.anyExtendedKeyUsage); - static { - CertPathHelperImpl.initialize(); - } - private BigInteger serialNumber; private X500Principal issuer; private X500Principal subject; @@ -1159,14 +1155,6 @@ public void setPathToNames(Collection> names) throws IOException { } } - // called from CertPathHelper - void setPathToNamesInternal(Set names) { - // set names to non-null dummy value - // this breaks getPathToNames() - pathToNames = Collections.>emptySet(); - pathToGeneralNames = names; - } - /** * Adds a name to the pathToNames criterion. The {@code X509Certificate} * must not include name constraints that would prohibit building a diff --git a/src/java.base/share/classes/sun/security/provider/certpath/CertPathHelper.java b/src/java.base/share/classes/sun/security/provider/certpath/CertPathHelper.java index 7c02007422d..ebc2200f0e6 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/CertPathHelper.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/CertPathHelper.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,14 +26,10 @@ package sun.security.provider.certpath; import java.util.Date; -import java.util.Set; import java.security.cert.TrustAnchor; -import java.security.cert.X509CertSelector; import java.security.cert.X509CRLSelector; -import sun.security.x509.GeneralNameInterface; - /** * Helper class that allows access to JDK specific known-public methods in the * java.security.cert package. It relies on a subclass in the @@ -55,18 +51,10 @@ protected CertPathHelper() { // empty } - protected abstract void implSetPathToNames(X509CertSelector sel, - Set names); - protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew); protected abstract boolean implIsJdkCA(TrustAnchor anchor); - static void setPathToNames(X509CertSelector sel, - Set names) { - instance.implSetPathToNames(sel, names); - } - public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { instance.implSetDateAndTime(sel, date, skew); } diff --git a/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java index f05a924440b..2fbeb8856ee 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java @@ -48,7 +48,6 @@ import sun.security.x509.AuthorityInfoAccessExtension; import sun.security.x509.AuthorityKeyIdentifierExtension; import static sun.security.x509.PKIXExtensions.*; -import sun.security.x509.SubjectAlternativeNameExtension; import sun.security.x509.X500Name; import sun.security.x509.X509CertImpl; @@ -258,14 +257,6 @@ private void getMatchingCACerts(ForwardState currentState, */ caSelector.setSubject(currentState.issuerDN); - /* - * Match on subjectNamesTraversed (both DNs and AltNames) - * (checks that current cert's name constraints permit it - * to certify all the DNs and AltNames that have been traversed) - */ - CertPathHelper.setPathToNames - (caSelector, currentState.subjectNamesTraversed); - /* * check the validity period */ @@ -704,19 +695,6 @@ void verifyCert(X509Certificate cert, State currentState, // Don't bother to verify untrusted certificate more. currState.untrustedChecker.check(cert, Collections.emptySet()); - /* - * Abort if we encounter the same certificate or a certificate with - * the same public key, subject DN, and subjectAltNames as a cert - * that is already in path. - */ - for (X509Certificate cpListCert : certPathList) { - if (repeated(cpListCert, cert)) { - throw new CertPathValidatorException( - "cert with repeated subject, public key, and " + - "subjectAltNames detected"); - } - } - /* check if trusted cert */ boolean isTrustedCert = trustedCerts.contains(cert); @@ -794,49 +772,6 @@ void verifyCert(X509Certificate cert, State currentState, } } - /** - * Return true if two certificates are equal or have the same subject, - * public key, and subject alternative names. - */ - private static boolean repeated( - X509Certificate currCert, X509Certificate nextCert) { - if (currCert.equals(nextCert)) { - return true; - } - return (currCert.getSubjectX500Principal().equals( - nextCert.getSubjectX500Principal()) && - currCert.getPublicKey().equals(nextCert.getPublicKey()) && - altNamesEqual(currCert, nextCert)); - } - - /** - * Return true if two certificates have the same subject alternative names. - */ - private static boolean altNamesEqual( - X509Certificate currCert, X509Certificate nextCert) { - X509CertImpl curr, next; - try { - curr = X509CertImpl.toImpl(currCert); - next = X509CertImpl.toImpl(nextCert); - } catch (CertificateException ce) { - return false; - } - - SubjectAlternativeNameExtension currAltNameExt = - curr.getSubjectAlternativeNameExtension(); - SubjectAlternativeNameExtension nextAltNameExt = - next.getSubjectAlternativeNameExtension(); - if (currAltNameExt != null) { - if (nextAltNameExt == null) { - return false; - } - return Arrays.equals(currAltNameExt.getExtensionValue(), - nextAltNameExt.getExtensionValue()); - } else { - return (nextAltNameExt == null); - } - } - /** * Verifies whether the input certificate completes the path. * First checks the cert against each trust anchor that was specified, diff --git a/src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java b/src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java index 9d7af9b169b..9a5088babf2 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java @@ -31,17 +31,11 @@ import java.security.cert.PKIXCertPathChecker; import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.HashSet; import java.util.List; import java.util.ListIterator; import javax.security.auth.x500.X500Principal; import sun.security.util.Debug; -import sun.security.x509.SubjectAlternativeNameExtension; -import sun.security.x509.GeneralNames; -import sun.security.x509.GeneralName; -import sun.security.x509.GeneralNameInterface; -import sun.security.x509.X500Name; import sun.security.x509.X509CertImpl; /** @@ -61,9 +55,6 @@ class ForwardState implements State { /* The last cert in the path */ X509CertImpl cert; - /* The set of subjectDNs and subjectAltNames of all certs in the path */ - HashSet subjectNamesTraversed; - /* * The number of intermediate CA certs which have been traversed so * far in the path @@ -73,7 +64,6 @@ class ForwardState implements State { /* Flag indicating if state is initial (path is just starting) */ private boolean init = true; - /* the untrusted certificates checker */ UntrustedChecker untrustedChecker; @@ -104,8 +94,6 @@ public String toString() { sb.append("\n issuerDN of last cert: ").append(issuerDN); sb.append("\n traversedCACerts: ").append(traversedCACerts); sb.append("\n init: ").append(String.valueOf(init)); - sb.append("\n subjectNamesTraversed: \n").append - (subjectNamesTraversed); sb.append("\n selfIssued: ").append (String.valueOf(selfIssued)); sb.append("]\n"); @@ -120,7 +108,6 @@ public String toString() { public void initState(List certPathCheckers) throws CertPathValidatorException { - subjectNamesTraversed = new HashSet(); traversedCACerts = 0; /* @@ -170,32 +157,6 @@ public void updateState(X509Certificate cert) } } - /* update subjectNamesTraversed only if this is the EE cert or if - this cert is not self-issued */ - if (init || !selfIssued) { - X500Principal subjName = cert.getSubjectX500Principal(); - subjectNamesTraversed.add(X500Name.asX500Name(subjName)); - - try { - SubjectAlternativeNameExtension subjAltNameExt - = icert.getSubjectAlternativeNameExtension(); - if (subjAltNameExt != null) { - GeneralNames gNames = subjAltNameExt.get( - SubjectAlternativeNameExtension.SUBJECT_NAME); - for (GeneralName gName : gNames.names()) { - subjectNamesTraversed.add(gName.getName()); - } - } - } catch (IOException e) { - if (debug != null) { - debug.println("ForwardState.updateState() unexpected " - + "exception"); - e.printStackTrace(); - } - throw new CertPathValidatorException(e); - } - } - init = false; } @@ -203,10 +164,6 @@ public void updateState(X509Certificate cert) * Clone current state. The state is cloned as each cert is * added to the path. This is necessary if backtracking occurs, * and a prior state needs to be restored. - * - * Note that this is a SMART clone. Not all fields are fully copied, - * because some of them will - * not have their contents modified by subsequent calls to updateState. */ @Override @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly @@ -226,13 +183,6 @@ public Object clone() { } } - /* - * Shallow copy traversed names. There is no need to - * deep copy contents, since the elements of the Set - * are never modified by subsequent calls to updateState(). - */ - clonedState.subjectNamesTraversed - = (HashSet)subjectNamesTraversed.clone(); return clonedState; } catch (CloneNotSupportedException e) { throw new InternalError(e.toString(), e); diff --git a/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java index fd4eb9543e9..fd5a01a923d 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java @@ -33,6 +33,7 @@ import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.PKIXReason; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.List; @@ -42,6 +43,7 @@ import sun.security.provider.certpath.PKIX.BuilderParams; import static sun.security.x509.PKIXExtensions.*; +import sun.security.x509.SubjectAlternativeNameExtension; import sun.security.x509.X509CertImpl; import sun.security.util.Debug; @@ -265,7 +267,7 @@ private void depthFirstSearchForward(X500Principal dN, */ Collection certs = builder.getMatchingCerts(currentState, buildParams.certStores()); - List vertices = addVertices(certs, adjList); + List vertices = addVertices(certs, adjList, cpList); if (debug != null) { debug.println("SunCertPathBuilder.depthFirstSearchForward(): " + "certs.size=" + vertices.size()); @@ -325,17 +327,32 @@ private void depthFirstSearchForward(X500Principal dN, * cert (which is signed by the trusted public key), but * don't add it yet to the cpList */ + PublicKey rootKey = cert.getPublicKey(); if (builder.trustAnchor.getTrustedCert() == null) { appendedCerts.add(0, cert); + rootKey = builder.trustAnchor.getCAPublicKey(); + if (debug != null) + debug.println( + "SunCertPathBuilder.depthFirstSearchForward " + + "using buildParams public key: " + + rootKey.toString()); } + TrustAnchor anchor = new TrustAnchor + (cert.getSubjectX500Principal(), rootKey, null); + // add the basic checker + List checkers = new ArrayList<>(); + BasicChecker basicChecker = new BasicChecker(anchor, + buildParams.date(), + buildParams.sigProvider(), + true); + checkers.add(basicChecker); Set initExpPolSet = Collections.singleton(PolicyChecker.ANY_POLICY); PolicyNodeImpl rootNode = new PolicyNodeImpl(null, PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); - List checkers = new ArrayList<>(); PolicyChecker policyChecker = new PolicyChecker(buildParams.initialPolicies(), appendedCerts.size(), @@ -346,28 +363,13 @@ private void depthFirstSearchForward(X500Principal dN, rootNode); checkers.add(policyChecker); + // add the constraints checker + checkers.add(new ConstraintsChecker(appendedCerts.size())); + // add the algorithm checker checkers.add(new AlgorithmChecker(builder.trustAnchor, buildParams.timestamp(), buildParams.variant())); - PublicKey rootKey = cert.getPublicKey(); - if (builder.trustAnchor.getTrustedCert() == null) { - rootKey = builder.trustAnchor.getCAPublicKey(); - if (debug != null) - debug.println( - "SunCertPathBuilder.depthFirstSearchForward " + - "using buildParams public key: " + - rootKey.toString()); - } - TrustAnchor anchor = new TrustAnchor - (cert.getSubjectX500Principal(), rootKey, null); - - // add the basic checker - BasicChecker basicChecker = new BasicChecker(anchor, - buildParams.date(), - buildParams.sigProvider(), - true); - checkers.add(basicChecker); buildParams.setCertPath(cf.generateCertPath(appendedCerts)); @@ -563,18 +565,79 @@ private void depthFirstSearchForward(X500Principal dN, * adjacency list. */ private static List addVertices(Collection certs, - List> adjList) + List> adjList, + List cpList) { List l = adjList.get(adjList.size() - 1); for (X509Certificate cert : certs) { - Vertex v = new Vertex(cert); - l.add(v); + boolean repeated = false; + for (X509Certificate cpListCert : cpList) { + /* + * Ignore if we encounter the same certificate or a + * certificate with the same public key, subject DN, and + * subjectAltNames as a cert that is already in path. + */ + if (repeated(cpListCert, cert)) { + if (debug != null) { + debug.println("cert with repeated subject, " + + "public key, and subjectAltNames detected"); + } + repeated = true; + break; + } + } + if (!repeated) { + l.add(new Vertex(cert)); + } } return l; } + /** + * Return true if two certificates are equal or have the same subject, + * public key, and subject alternative names. + */ + private static boolean repeated( + X509Certificate currCert, X509Certificate nextCert) { + if (currCert.equals(nextCert)) { + return true; + } + return (currCert.getSubjectX500Principal().equals( + nextCert.getSubjectX500Principal()) && + currCert.getPublicKey().equals(nextCert.getPublicKey()) && + altNamesEqual(currCert, nextCert)); + } + + /** + * Return true if two certificates have the same subject alternative names. + */ + private static boolean altNamesEqual( + X509Certificate currCert, X509Certificate nextCert) { + X509CertImpl curr, next; + try { + curr = X509CertImpl.toImpl(currCert); + next = X509CertImpl.toImpl(nextCert); + } catch (CertificateException ce) { + return false; + } + + SubjectAlternativeNameExtension currAltNameExt = + curr.getSubjectAlternativeNameExtension(); + SubjectAlternativeNameExtension nextAltNameExt = + next.getSubjectAlternativeNameExtension(); + if (currAltNameExt != null) { + if (nextAltNameExt == null) { + return false; + } + return Arrays.equals(currAltNameExt.getExtensionValue(), + nextAltNameExt.getExtensionValue()); + } else { + return (nextAltNameExt == null); + } + } + /** * Returns true if trust anchor certificate matches specified * certificate constraints. From d87fb1fece3283273414919b09fdf9e5093044f4 Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Thu, 28 Apr 2022 02:48:20 +0000 Subject: [PATCH 10/15] 8284910: Buffer clean in PasswordCallback Reviewed-by: mbalao Backport-of: 89fd6d34f859d61d9cf5a1edf9419eee7c338390 --- .../auth/callback/PasswordCallback.java | 40 ++++++++++-- .../PasswordCallback/CheckCleanerBound.java | 61 +++++++++++++++++++ .../PasswordCallback/PasswordCleanup.java | 52 ++++++++++++++++ 3 files changed, 147 insertions(+), 6 deletions(-) create mode 100644 test/jdk/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java create mode 100644 test/jdk/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java diff --git a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java index 36a54b79958..69f57eb36f4 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,11 @@ package javax.security.auth.callback; +import java.lang.ref.Cleaner; +import java.util.Arrays; + +import jdk.internal.ref.CleanerFactory; + /** *

Underlying security services instantiate and pass a * {@code PasswordCallback} to the {@code handle} @@ -38,16 +43,20 @@ public class PasswordCallback implements Callback, java.io.Serializable { @java.io.Serial private static final long serialVersionUID = 2267422647454909926L; + private transient Cleaner.Cleanable cleanable; + /** * @serial * @since 1.4 */ - private String prompt; + private final String prompt; + /** * @serial * @since 1.4 */ - private boolean echoOn; + private final boolean echoOn; + /** * @serial * @since 1.4 @@ -106,7 +115,19 @@ public boolean isEchoOn() { * @see #getPassword */ public void setPassword(char[] password) { + // Cleanup the last buffered password copy. + if (cleanable != null) { + cleanable.clean(); + cleanable = null; + } + + // Set the retrieved password. this.inputPassword = (password == null ? null : password.clone()); + + if (this.inputPassword != null) { + cleanable = CleanerFactory.cleaner().register( + this, cleanerFor(inputPassword)); + } } /** @@ -126,9 +147,16 @@ public char[] getPassword() { * Clear the retrieved password. */ public void clearPassword() { - if (inputPassword != null) { - for (int i = 0; i < inputPassword.length; i++) - inputPassword[i] = ' '; + // Cleanup the last retrieved password copy. + if (cleanable != null) { + cleanable.clean(); + cleanable = null; } } + + private static Runnable cleanerFor(char[] password) { + return () -> { + Arrays.fill(password, ' '); + }; + } } diff --git a/test/jdk/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java b/test/jdk/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java new file mode 100644 index 00000000000..cc995893f65 --- /dev/null +++ b/test/jdk/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8284910 + * @summary Check that the cleaner is not bound to the PasswordCallback object + */ + +import javax.security.auth.callback.PasswordCallback; +import java.util.WeakHashMap; + +public final class CheckCleanerBound { + private final static WeakHashMap weakHashMap = + new WeakHashMap<>(); + + public static void main(String[] args) throws Exception { + // Create an object + PasswordCallback passwordCallback = + new PasswordCallback("Password: ", false); + passwordCallback.setPassword("ThisIsAPassword".toCharArray()); + + weakHashMap.put(passwordCallback, null); + passwordCallback = null; + + // Check if the PasswordCallback object could be collected. + // Wait to trigger the cleanup. + for (int i = 0; i < 10 && weakHashMap.size() != 0; i++) { + System.gc(); + } + + // Check if the object has been collected. The collection will not + // happen if the cleaner implementation in PasswordCallback is bound + // to the PasswordCallback object. + if (weakHashMap.size() > 0) { + throw new RuntimeException( + "PasswordCallback object is not released"); + } + } +} + diff --git a/test/jdk/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java b/test/jdk/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java new file mode 100644 index 00000000000..ea8b1d1c145 --- /dev/null +++ b/test/jdk/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8284910 + * @summary Check that PasswordCallback.clearPassword() clears the password + */ + +import javax.security.auth.callback.PasswordCallback; +import java.util.Arrays; + +public final class PasswordCleanup { + public static void main(String[] args) throws Exception { + // Create an object + PasswordCallback passwordCallback = + new PasswordCallback("Password: ", false); + passwordCallback.setPassword("ThisIsAPassword".toCharArray()); + char[] originPassword = passwordCallback.getPassword(); + + // Use password clear method. + passwordCallback.clearPassword(); + + // Check that the password is cleared. + char[] clearedPassword = passwordCallback.getPassword(); + if (Arrays.equals(originPassword, clearedPassword)) { + throw new RuntimeException( + "PasswordCallback.clearPassword() does not clear passwords"); + } + } +} + From 343128b4032f04e0dd08a3fe5bcdd8a8ac51a46d Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Fri, 18 Aug 2023 15:01:58 +0300 Subject: [PATCH 11/15] 8286503: Enhance security classes Backport-of: 7f5e120a631ffda3e6d5efc03bae572b21877b69 --- .../com/sun/crypto/provider/DESKey.java | 27 +++++++-- .../com/sun/crypto/provider/DESedeKey.java | 29 ++++++++-- .../com/sun/crypto/provider/DHPrivateKey.java | 34 +++++++++-- .../com/sun/crypto/provider/DHPublicKey.java | 34 +++++++++-- .../com/sun/crypto/provider/PBEKey.java | 39 ++++++++++--- .../sun/crypto/provider/PBKDF2KeyImpl.java | 44 +++++++++++--- .../provider/TlsMasterSecretGenerator.java | 27 +++++++-- .../classes/java/security/CodeSigner.java | 15 +++-- .../javax/crypto/spec/SecretKeySpec.java | 27 ++++++++- .../auth/callback/ChoiceCallback.java | 53 ++++++++++++++--- .../auth/callback/ConfirmationCallback.java | 47 ++++++++++----- .../auth/callback/PasswordCallback.java | 29 +++++++++- .../security/provider/DSAPublicKeyImpl.java | 27 +++++++-- .../sun/security/provider/PolicyFile.java | 31 +++++++++- .../sun/security/provider/SecureRandom.java | 54 +++++++++++++++--- .../provider/certpath/X509CertPath.java | 23 ++++++-- .../security/rsa/RSAPrivateCrtKeyImpl.java | 22 ++++++- .../sun/security/rsa/RSAPrivateKeyImpl.java | 29 ++++++++-- .../sun/security/rsa/RSAPublicKeyImpl.java | 24 +++++++- .../sun/security/x509/X509CertImpl.java | 30 ++++++---- .../classes/sun/security/pkcs11/Token.java | 24 +++++++- .../sun/security/ec/ECPrivateKeyImpl.java | 21 ++++++- .../sun/security/ec/ECPublicKeyImpl.java | 26 ++++++++- .../sun/security/ec/XDHPrivateKeyImpl.java | 18 +++++- .../sun/security/ec/XDHPublicKeyImpl.java | 25 +++++++- .../security/ec/ed/EdDSAPrivateKeyImpl.java | 21 ++++++- .../security/ec/ed/EdDSAPublicKeyImpl.java | 25 +++++++- .../sun/security/mscapi/CPrivateKey.java | 26 ++++++++- .../sun/security/mscapi/CPublicKey.java | 31 +++++++++- .../com/sun/security/auth/LdapPrincipal.java | 33 ++++++++++- .../sun/security/auth/NTDomainPrincipal.java | 30 ++++++++-- .../classes/com/sun/security/auth/NTSid.java | 38 ++++++++++-- .../sun/security/auth/NTUserPrincipal.java | 31 ++++++++-- .../auth/UnixNumericGroupPrincipal.java | 32 +++++++++-- .../auth/UnixNumericUserPrincipal.java | 30 ++++++++-- .../com/sun/security/auth/UnixPrincipal.java | 30 ++++++++-- .../com/sun/security/auth/UserPrincipal.java | 22 ++++++- test/jdk/java/security/KeyRep/RSA.pre.1.5.key | Bin 1803 -> 0 bytes test/jdk/java/security/KeyRep/SerialOld.java | 14 +++-- 39 files changed, 955 insertions(+), 167 deletions(-) delete mode 100644 test/jdk/java/security/KeyRep/RSA.pre.1.5.key diff --git a/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java b/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java index 21e7247e87b..daea2659f63 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; @@ -44,7 +46,7 @@ final class DESKey implements SecretKey { @java.io.Serial - static final long serialVersionUID = 7724971015953279128L; + private static final long serialVersionUID = 7724971015953279128L; private byte[] key; @@ -113,7 +115,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "des".hashCode()); + return(retval ^ "des".hashCode()); } public boolean equals(Object obj) { @@ -134,15 +136,28 @@ public boolean equals(Object obj) { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ @java.io.Serial private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESKeySpec.DES_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + + // Use the cleaner to zero the key when no longer referenced + final byte[] k = key; + CleanerFactory.cleaner().register(this, + () -> java.util.Arrays.fill(k, (byte)0x00)); } /** diff --git a/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java b/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java index 2847f305017..031495f27a4 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; @@ -44,7 +46,7 @@ final class DESedeKey implements SecretKey { @java.io.Serial - static final long serialVersionUID = 2463986565756745178L; + private static final long serialVersionUID = 2463986565756745178L; private byte[] key; @@ -112,7 +114,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "desede".hashCode()); + return(retval ^ "desede".hashCode()); } public boolean equals(Object obj) { @@ -134,15 +136,30 @@ public boolean equals(Object obj) { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ @java.io.Serial private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESedeKeySpec.DES_EDE_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + DESKeyGenerator.setParityBit(key, 8); + DESKeyGenerator.setParityBit(key, 16); + + // Use the cleaner to zero the key when no longer referenced + final byte[] k = key; + CleanerFactory.cleaner().register(this, + () -> java.util.Arrays.fill(k, (byte)0x00)); } /** diff --git a/src/java.base/share/classes/com/sun/crypto/provider/DHPrivateKey.java b/src/java.base/share/classes/com/sun/crypto/provider/DHPrivateKey.java index dcce2c4efa5..b584ac415f7 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/DHPrivateKey.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/DHPrivateKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,8 +41,6 @@ * algorithm. * * @author Jan Luehe - * - * * @see DHPublicKey * @see java.security.KeyAgreement */ @@ -50,7 +48,7 @@ final class DHPrivateKey implements PrivateKey, javax.crypto.interfaces.DHPrivateKey, Serializable { @java.io.Serial - static final long serialVersionUID = 7565477590005668886L; + private static final long serialVersionUID = 7565477590005668886L; // only supported version of PKCS#8 PrivateKeyInfo private static final BigInteger PKCS8_VERSION = BigInteger.ZERO; @@ -65,10 +63,10 @@ final class DHPrivateKey implements PrivateKey, private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -336,4 +334,28 @@ private Object writeReplace() throws java.io.ObjectStreamException { getFormat(), encodedKey); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java b/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java index bf33173ff2e..622aa2a512d 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/DHPublicKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,8 +40,6 @@ * A public key in X.509 format for the Diffie-Hellman key agreement algorithm. * * @author Jan Luehe - * - * * @see DHPrivateKey * @see javax.crypto.KeyAgreement */ @@ -49,7 +47,7 @@ final class DHPublicKey implements PublicKey, javax.crypto.interfaces.DHPublicKey, Serializable { @java.io.Serial - static final long serialVersionUID = 7647557958927458271L; + private static final long serialVersionUID = 7647557958927458271L; // the public key private BigInteger y; @@ -61,10 +59,10 @@ final class DHPublicKey implements PublicKey, private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -324,4 +322,28 @@ private Object writeReplace() throws java.io.ObjectStreamException { getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java b/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java index 15c9c1f3d59..67efe74f858 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; @@ -45,11 +47,11 @@ final class PBEKey implements SecretKey { @java.io.Serial - static final long serialVersionUID = -2234768909660948176L; + private static final long serialVersionUID = -2234768909660948176L; private byte[] key; - private String type; + private final String type; /** * Creates a PBE key from a given PBE key specification. @@ -110,7 +112,7 @@ public int hashCode() { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); + return(retval ^ getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); } public boolean equals(Object obj) { @@ -144,15 +146,38 @@ public void destroy() { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ @java.io.Serial private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if (key == null) { + throw new InvalidObjectException( + "PBEKey couldn't be deserialized"); + } key = key.clone(); + + // Accept "\0" to signify "zero-length password with no terminator". + if (!(key.length == 1 && key[0] == 0)) { + for (int i = 0; i < key.length; i++) { + if ((key[i] < '\u0020') || (key[i] > '\u007E')) { + throw new InvalidObjectException( + "PBEKey had non-ASCII chars"); + } + } + } + + // Use the cleaner to zero the key when no longer referenced + final byte[] k = this.key; + CleanerFactory.cleaner().register(this, + () -> Arrays.fill(k, (byte) 0x00)); + } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java index 1588385d653..29e331b944a 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java @@ -25,7 +25,7 @@ package com.sun.crypto.provider; -import java.io.ObjectStreamException; +import java.io.*; import java.lang.ref.Reference; import java.nio.ByteBuffer; import java.nio.CharBuffer; @@ -57,14 +57,14 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { @java.io.Serial - static final long serialVersionUID = -2234868909660948157L; + private static final long serialVersionUID = -2234868909660948157L; - private char[] passwd; - private byte[] salt; - private int iterCount; + private final char[] passwd; + private final byte[] salt; + private final int iterCount; private byte[] key; - private Mac prf; + private final Mac prf; private static byte[] getPasswordBytes(char[] passwd) { CharBuffer cb = CharBuffer.wrap(passwd); @@ -146,13 +146,14 @@ private static byte[] deriveKey(final Mac prf, final byte[] password, int intR = keyLength - (intL - 1)*hlen; // residue byte[] ui = new byte[hlen]; byte[] ti = new byte[hlen]; + String algName = prf.getAlgorithm(); // SecretKeySpec cannot be used, since password can be empty here. SecretKey macKey = new SecretKey() { @java.io.Serial private static final long serialVersionUID = 7874493593505141603L; @Override public String getAlgorithm() { - return prf.getAlgorithm(); + return algName; } @Override public String getFormat() { @@ -165,18 +166,27 @@ public byte[] getEncoded() { @Override public int hashCode() { return Arrays.hashCode(password) * 41 + - prf.getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode(); + algName.toLowerCase(Locale.ENGLISH).hashCode(); } @Override public boolean equals(Object obj) { if (this == obj) return true; if (this.getClass() != obj.getClass()) return false; SecretKey sk = (SecretKey)obj; - return prf.getAlgorithm().equalsIgnoreCase( + return algName.equalsIgnoreCase( sk.getAlgorithm()) && MessageDigest.isEqual(password, sk.getEncoded()); } + // This derived key can't be deserialized. + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl SecretKeys are not " + + "directly deserializable"); + } }; + prf.init(macKey); byte[] ibytes = new byte[4]; @@ -290,4 +300,20 @@ private Object writeReplace() throws ObjectStreamException { return new KeyRep(KeyRep.Type.SECRET, getAlgorithm(), getFormat(), key); } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this class is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java index c533506b05f..09ab8143bdd 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.*; import java.security.spec.AlgorithmParameterSpec; import java.util.Arrays; @@ -62,11 +65,11 @@ protected void engineInit(SecureRandom random) { @SuppressWarnings("deprecation") protected void engineInit(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsMasterSecretParameterSpec == false) { + if (!(params instanceof TlsMasterSecretParameterSpec)) { throw new InvalidAlgorithmParameterException(MSG); } this.spec = (TlsMasterSecretParameterSpec)params; - if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) { + if (!"RAW".equals(spec.getPremasterSecret().getFormat())) { throw new InvalidAlgorithmParameterException( "Key format must be RAW"); } @@ -193,6 +196,22 @@ public byte[] getEncoded() { return key.clone(); } - } + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("TlsMasterSecretKey is null"); + } + key = key.clone(); + } + } } diff --git a/src/java.base/share/classes/java/security/CodeSigner.java b/src/java.base/share/classes/java/security/CodeSigner.java index 99748210d79..5306d17c8db 100644 --- a/src/java.base/share/classes/java/security/CodeSigner.java +++ b/src/java.base/share/classes/java/security/CodeSigner.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,9 +156,9 @@ public boolean equals(Object obj) { public String toString() { StringBuilder sb = new StringBuilder(); sb.append("("); - sb.append("Signer: " + signerCertPath.getCertificates().get(0)); + sb.append("Signer: ").append(signerCertPath.getCertificates().get(0)); if (timestamp != null) { - sb.append("timestamp: " + timestamp); + sb.append("timestamp: ").append(timestamp); } sb.append(")"); return sb.toString(); @@ -174,8 +174,11 @@ public String toString() { */ @java.io.Serial private void readObject(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - ois.defaultReadObject(); - myhash = -1; + throws IOException, ClassNotFoundException { + ois.defaultReadObject(); + if (signerCertPath == null) { + throw new InvalidObjectException("signerCertPath is null"); + } + myhash = -1; } } diff --git a/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java b/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java index 41d4acab748..e691fa9fb66 100644 --- a/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java +++ b/src/java.base/share/classes/javax/crypto/spec/SecretKeySpec.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,9 @@ import jdk.internal.access.JavaxCryptoSpecAccess; import jdk.internal.access.SharedSecrets; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.util.Arrays; @@ -259,4 +262,26 @@ public boolean equals(Object obj) { void clear() { Arrays.fill(key, (byte)0); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (key == null || algorithm == null) { + throw new InvalidObjectException("Missing argument"); + } + + this.key = key.clone(); + if (key.length == 0) { + throw new InvalidObjectException("Invalid key length"); + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java b/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java index f708df1c812..973d11b1c7e 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/ChoiceCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,10 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ChoiceCallback} to the {@code handle} @@ -48,7 +52,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @serial the list of choices * @since 1.4 */ - private final String[] choices; + private String[] choices; /** * @serial the choice to be used as the default choice * @since 1.4 @@ -72,7 +76,6 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * a list of choices, a default choice, and a boolean specifying * whether or not multiple selections from the list of choices are allowed. * - * * @param prompt the prompt used to describe the list of choices. * * @param choices the list of choices. The array is cloned to protect @@ -105,15 +108,15 @@ public ChoiceCallback(String prompt, String[] choices, defaultChoice < 0 || defaultChoice >= choices.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.defaultChoice = defaultChoice; + this.multipleSelectionsAllowed = multipleSelectionsAllowed; + + this.choices = choices.clone(); for (int i = 0; i < choices.length; i++) { if (choices[i] == null || choices[i].isEmpty()) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.choices = choices.clone(); - this.defaultChoice = defaultChoice; - this.multipleSelectionsAllowed = multipleSelectionsAllowed; } /** @@ -197,4 +200,38 @@ public void setSelectedIndexes(int[] selections) { public int[] getSelectedIndexes() { return selections == null ? null : selections.clone(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if ((prompt == null) || prompt.isEmpty() || + (choices == null) || (choices.length == 0) || + (defaultChoice < 0) || (defaultChoice >= choices.length)) { + throw new InvalidObjectException( + "Missing/invalid prompt/choices"); + } + + choices = choices.clone(); + for (int i = 0; i < choices.length; i++) { + if ((choices[i] == null) || choices[i].isEmpty()) + throw new InvalidObjectException("Null/empty choices"); + } + + if (selections != null) { + selections = selections.clone(); + if (!multipleSelectionsAllowed && (selections.length != 1)) { + throw new InvalidObjectException( + "Multiple selections not allowed"); + } + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java b/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java index 926a3d889e2..437ce7041a7 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/ConfirmationCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ConfirmationCallback} to the {@code handle} @@ -147,7 +150,7 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private final String[] options; + private String[] options; /** * @serial * @since 1.4 @@ -252,16 +255,16 @@ public ConfirmationCallback(int messageType, defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); - for (int i = 0; i < options.length; i++) { - if (options[i] == null || options[i].isEmpty()) - throw new IllegalArgumentException(); - } - this.prompt = null; this.messageType = messageType; this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); this.defaultOption = defaultOption; + + this.options = options.clone(); + for (int i = 0; i < options.length; i++) { + if (options[i] == null || options[i].isEmpty()) + throw new IllegalArgumentException(); + } } /** @@ -372,16 +375,16 @@ public ConfirmationCallback(String prompt, int messageType, defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); - for (int i = 0; i < options.length; i++) { - if (options[i] == null || options[i].isEmpty()) - throw new IllegalArgumentException(); - } - this.prompt = prompt; this.messageType = messageType; this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); this.defaultOption = defaultOption; + + this.options = options.clone(); + for (int i = 0; i < options.length; i++) { + if (options[i] == null || options[i].isEmpty()) + throw new IllegalArgumentException(); + } } /** @@ -487,4 +490,20 @@ public void setSelectedIndex(int selection) { public int getSelectedIndex() { return selection; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (options != null) { + options = options.clone(); + } + } } diff --git a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java index 69f57eb36f4..5e0f6bb5fde 100644 --- a/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,10 @@ import jdk.internal.ref.CleanerFactory; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code PasswordCallback} to the {@code handle} @@ -159,4 +163,27 @@ private static Runnable cleanerFor(char[] password) { Arrays.fill(password, ' '); }; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (prompt == null || prompt.isEmpty()) { + throw new InvalidObjectException("Missing prompt"); + } + + if (inputPassword != null) { + inputPassword = inputPassword.clone(); + cleanable = CleanerFactory.cleaner().register( + this, cleanerFor(inputPassword)); + } + } } diff --git a/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java b/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java index 2c402ef2863..ca84d202c14 100644 --- a/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java +++ b/src/java.base/share/classes/sun/security/provider/DSAPublicKeyImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,17 +25,20 @@ package sun.security.provider; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.KeyRep; import java.security.InvalidKeyException; /** * An X.509 public key for the Digital Signature Algorithm. - * + *

* The difference between DSAPublicKeyImpl and DSAPublicKey is that * DSAPublicKeyImpl calls writeReplace with KeyRep, and DSAPublicKey * calls writeObject. - * + *

* See the comments in DSAKeyFactory, 4532506, and 6232513. * */ @@ -72,10 +75,26 @@ public DSAPublicKeyImpl(byte[] encoded) throws InvalidKeyException { } @java.io.Serial - protected Object writeReplace() throws java.io.ObjectStreamException { + private Object writeReplace() throws java.io.ObjectStreamException { return new KeyRep(KeyRep.Type.PUBLIC, getAlgorithm(), getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "DSAPublicKeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/sun/security/provider/PolicyFile.java b/src/java.base/share/classes/sun/security/provider/PolicyFile.java index a9be95dd598..3dfc12ac377 100644 --- a/src/java.base/share/classes/sun/security/provider/PolicyFile.java +++ b/src/java.base/share/classes/sun/security/provider/PolicyFile.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -2097,8 +2097,17 @@ public SelfPermission(String type, String name, String actions, this.actions.equals(that.actions))) return false; - if (this.certs.length != that.certs.length) + if ((this.certs == null) && (that.certs == null)) { + return true; + } + + if ((this.certs == null) || (that.certs == null)) { + return false; + } + + if (this.certs.length != that.certs.length) { return false; + } int i,j; boolean match; @@ -2168,7 +2177,7 @@ public String getSelfActions() { } public Certificate[] getCerts() { - return certs; + return (certs == null ? null : certs.clone()); } /** @@ -2181,6 +2190,22 @@ public Certificate[] getCerts() { @Override public String toString() { return "(SelfPermission " + type + " " + name + " " + actions + ")"; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (certs != null) { + this.certs = certs.clone(); + } + } } /** diff --git a/src/java.base/share/classes/sun/security/provider/SecureRandom.java b/src/java.base/share/classes/sun/security/provider/SecureRandom.java index 0ccaa81289c..c5e901322fb 100644 --- a/src/java.base/share/classes/sun/security/provider/SecureRandom.java +++ b/src/java.base/share/classes/sun/security/provider/SecureRandom.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package sun.security.provider; import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.SecureRandomSpi; import java.security.NoSuchAlgorithmException; @@ -193,7 +194,7 @@ private static void updateState(byte[] state, byte[] output) { /** * This static object will be seeded by SeedGenerator, and used * to seed future instances of SHA1PRNG SecureRandoms. - * + *

* Bloch, Effective Java Second Edition: Item 71 */ private static class SeederHolder { @@ -268,18 +269,24 @@ public synchronized void engineNextBytes(byte[] result) { } /* - * readObject is called to restore the state of the random object from - * a stream. We have to create a new instance of MessageDigest, because + * This method is called to restore the state of the random object from + * a stream. + *

+ * We have to create a new instance of {@code MessageDigest}, because * it is not included in the stream (it is marked "transient"). - * - * Note that the engineNextBytes() method invoked on the restored random - * object will yield the exact same (random) bytes as the original. + *

+ * Note that the {@code engineNextBytes()} method invoked on the restored + * random object will yield the exact same (random) bytes as the original. * If you do not want this behaviour, you should re-seed the restored - * random object, using engineSetSeed(). + * random object, using {@code engineSetSeed()}. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ @java.io.Serial private void readObject(java.io.ObjectInputStream s) - throws IOException, ClassNotFoundException { + throws IOException, ClassNotFoundException { s.defaultReadObject (); @@ -298,5 +305,34 @@ private void readObject(java.io.ObjectInputStream s) "internal error: SHA-1 not available.", exc); } } + + // Various consistency checks + if ((remainder == null) && (remCount > 0)) { + throw new InvalidObjectException( + "Remainder indicated, but no data available"); + } + + // Not yet allocated state + if (state == null) { + if (remainder == null) { + return; + } else { + throw new InvalidObjectException( + "Inconsistent buffer allocations"); + } + } + + // Sanity check on sizes/pointer + if ((state.length != DIGEST_SIZE) || + ((remainder != null) && (remainder.length != DIGEST_SIZE)) || + (remCount < 0 ) || (remCount >= DIGEST_SIZE)) { + throw new InvalidObjectException( + "Inconsistent buffer sizes/state"); + } + + state = state.clone(); + if (remainder != null) { + remainder = remainder.clone(); + } } } diff --git a/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java b/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java index e8e1e82be8b..d692f592e8d 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/X509CertPath.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,10 +25,7 @@ package sun.security.provider.certpath; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; +import java.io.*; import java.security.cert.CertificateEncodingException; import java.security.cert.Certificate; import java.security.cert.CertificateException; @@ -396,4 +393,20 @@ public Iterator getEncodings() { public List getCertificates() { return certs; } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "X509CertPaths are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java index fbc9fda05fa..4c5af4b953c 100644 --- a/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java +++ b/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,8 @@ package sun.security.rsa; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -43,7 +45,7 @@ * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in CRT form. * For non-CRT private keys, see RSAPrivateKeyImpl. We need separate classes * to ensure correct behavior in instanceof checks, etc. - * + *

* Note: RSA keys must be at least 512 bits long * * @see RSAPrivateKeyImpl @@ -361,4 +363,20 @@ private void parseKeyBits() throws InvalidKeyException { throw new InvalidKeyException("Invalid RSA private key", e); } } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "RSAPrivateCrtKeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java index 699a5db6367..5a645c7e887 100644 --- a/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java +++ b/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,8 @@ package sun.security.rsa; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -40,10 +42,11 @@ /** * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in non-CRT - * form (modulus, private exponent only). For CRT private keys, see - * RSAPrivateCrtKeyImpl. We need separate classes to ensure correct behavior - * in instanceof checks, etc. - * + * form (modulus, private exponent only). + *

+ * For CRT private keys, see RSAPrivateCrtKeyImpl. We need separate classes + * to ensure correct behavior in instanceof checks, etc. + *

* Note: RSA keys must be at least 512 bits long * * @see RSAPrivateCrtKeyImpl @@ -147,4 +150,20 @@ public String toString() { + " bits" + "\n params: " + keyParams + "\n modulus: " + n + "\n private exponent: " + d; } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "RSAPrivateKeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java b/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java index d5002c15000..61522cad2fe 100644 --- a/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java +++ b/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,8 @@ package sun.security.rsa; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -39,7 +41,7 @@ /** * RSA public key implementation for "RSA", "RSASSA-PSS" algorithms. - * + *

* Note: RSA keys must be at least 512 bits long * * @see RSAPrivateCrtKeyImpl @@ -238,10 +240,26 @@ public String toString() { } @java.io.Serial - protected Object writeReplace() throws java.io.ObjectStreamException { + private Object writeReplace() throws java.io.ObjectStreamException { return new KeyRep(KeyRep.Type.PUBLIC, getAlgorithm(), getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "RSAPublicKeyImpl keys are not directly deserializable"); + } } diff --git a/src/java.base/share/classes/sun/security/x509/X509CertImpl.java b/src/java.base/share/classes/sun/security/x509/X509CertImpl.java index 254016d6a28..5a296bf9494 100644 --- a/src/java.base/share/classes/sun/security/x509/X509CertImpl.java +++ b/src/java.base/share/classes/sun/security/x509/X509CertImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,13 +25,7 @@ package sun.security.x509; -import java.io.BufferedReader; -import java.io.BufferedInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.OutputStream; +import java.io.*; import java.math.BigInteger; import java.security.*; import java.security.cert.*; @@ -629,7 +623,7 @@ public void checkValidity(Date date) /** * Return the requested attribute from the certificate. - * + *

* Note that the X509CertInfo is not cloned for performance reasons. * Callers must ensure that they do not modify it. All other * attributes are cloned. @@ -1534,7 +1528,7 @@ private static Collection> makeAltNames(GeneralNames names) { for (GeneralName gname : names.names()) { GeneralNameInterface name = gname.getName(); List nameEntry = new ArrayList<>(2); - nameEntry.add(Integer.valueOf(name.getType())); + nameEntry.add(name.getType()); switch (name.getType()) { case GeneralNameInterface.NAME_RFC822: nameEntry.add(((RFC822Name) name).getName()); @@ -1972,4 +1966,20 @@ public static String getFingerprint(String algorithm, } } } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "X509CertImpls are not directly deserializable"); + } } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java index 9858a5faedf..1f94fe3e18a 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -419,13 +419,30 @@ private synchronized byte[] getTokenId() { private static final List> serializedTokens = new ArrayList>(); + @java.io.Serial private Object writeReplace() throws ObjectStreamException { if (isValid() == false) { - throw new NotSerializableException("Token has been removed"); + throw new InvalidObjectException("Token has been removed"); } return new TokenRep(this); } + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this object is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + @java.io.Serial + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "Tokens are not directly deserializable"); + } + // serialized representation of a token // tokens can only be de-serialized within the same VM invocation // and if the token has not been removed in the meantime @@ -439,6 +456,7 @@ private static class TokenRep implements Serializable { tokenId = token.getTokenId(); } + @java.io.Serial private Object readResolve() throws ObjectStreamException { for (Reference tokenRef : serializedTokens) { Token token = tokenRef.get(); @@ -448,7 +466,7 @@ private Object readResolve() throws ObjectStreamException { } } } - throw new NotSerializableException("Could not find token"); + throw new InvalidObjectException("Could not find token"); } } diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPrivateKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPrivateKeyImpl.java index bf940a73100..88cde0c55df 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPrivateKeyImpl.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPrivateKeyImpl.java @@ -26,6 +26,8 @@ package sun.security.ec; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -39,7 +41,7 @@ /** * Key implementation for EC private keys. - * + *

* ASN.1 syntax for EC private keys from SEC 1 v1.5 (draft): * * 

@@ -62,6 +64,7 @@
  */
 public final class ECPrivateKeyImpl extends PKCS8Key implements ECPrivateKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 88695385615075129L;
 
     private BigInteger s;       // private value
@@ -205,4 +208,20 @@ private void parseKeyBits() throws InvalidKeyException {
             throw new InvalidKeyException("Invalid EC private key", e);
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPublicKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPublicKeyImpl.java
index bc403026c4d..c88fa450734 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPublicKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ECPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@
 
 import java.io.IOException;
 
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.*;
 import java.security.interfaces.*;
 import java.security.spec.*;
@@ -44,6 +46,7 @@
  */
 public final class ECPublicKeyImpl extends X509Key implements ECPublicKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = -2462037275160462289L;
 
     private ECPoint w;
@@ -122,10 +125,27 @@ public String toString() {
             + "\n  parameters: " + params;
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    @java.io.Serial
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
-}
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPublicKeyImpl keys are not directly deserializable");
+    }
+}
\ No newline at end of file
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
index beeda53006f..4764110b117 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
@@ -37,6 +37,7 @@
 
 public final class XDHPrivateKeyImpl extends PKCS8Key implements XECPrivateKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 1L;
 
     private final AlgorithmParameterSpec paramSpec;
@@ -101,5 +102,20 @@ public AlgorithmParameterSpec getParams() {
     public Optional getScalar() {
         return Optional.of(getK());
     }
-}
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "XDHPrivateKeyImpl keys are not directly deserializable");
+    }
+}
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPublicKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPublicKeyImpl.java
index 0b9b6d93c04..a2a21d2d98b 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPublicKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.ec;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.InvalidKeyException;
 import java.security.KeyRep;
@@ -40,6 +43,7 @@
 
 public final class XDHPublicKeyImpl extends X509Key implements XECPublicKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 1L;
 
     private final BigInteger u;
@@ -107,7 +111,8 @@ public String getAlgorithm() {
         return "XDH";
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    @java.io.Serial
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
             getAlgorithm(),
             getFormat(),
@@ -130,5 +135,21 @@ private static void reverse(byte [] arr) {
             j--;
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "XDHPublicKeyImpl keys are not directly deserializable");
+    }
 }
 
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
index a4f769e55f6..8f7cbd2b3f9 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPrivateKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.ec.ed;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.InvalidKeyException;
 import java.security.ProviderException;
 import java.security.interfaces.EdECPrivateKey;
@@ -39,6 +41,7 @@
 public final class EdDSAPrivateKeyImpl
         extends PKCS8Key implements EdECPrivateKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 1L;
 
     private final NamedParameterSpec paramSpec;
@@ -104,4 +107,20 @@ public NamedParameterSpec getParams() {
     public Optional getBytes() {
         return Optional.of(getKey());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "EdDSAPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
index ebc51e9a821..8a6407fb146 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.ec.ed;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.InvalidKeyException;
 import java.security.KeyRep;
@@ -39,6 +42,7 @@
 
 public final class EdDSAPublicKeyImpl extends X509Key implements EdECPublicKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 1L;
 
     private final EdECPoint point;
@@ -106,7 +110,8 @@ public String getAlgorithm() {
         return "EdDSA";
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    @java.io.Serial
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC, getAlgorithm(), getFormat(),
                 getEncoded());
     }
@@ -127,4 +132,20 @@ private static void reverse(byte [] arr) {
             j--;
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "EdDSAPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPrivateKey.java b/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPrivateKey.java
index a65ea445890..91a7775b8bd 100644
--- a/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPrivateKey.java
+++ b/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPrivateKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.PrivateKey;
 
 /**
@@ -35,6 +38,7 @@
  */
 class CPrivateKey extends CKey implements PrivateKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = 8113152807912338063L;
 
     private CPrivateKey(String alg, NativeHandles handles, int keyLength) {
@@ -72,8 +76,26 @@ public String toString() {
     }
 
     // This class is not serializable
+    @java.io.Serial
     private void writeObject(java.io.ObjectOutputStream out)
             throws java.io.IOException {
-        throw new java.io.NotSerializableException();
+        throw new java.io.InvalidObjectException(
+                "CPrivateKeys are not serializable");
+    }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPrivateKeys are not deserializable");
     }
 }
diff --git a/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPublicKey.java b/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPublicKey.java
index 35e25e90647..efbd74c5bb8 100644
--- a/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPublicKey.java
+++ b/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/CPublicKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.AlgorithmParameters;
 import java.security.KeyException;
@@ -50,6 +53,7 @@
  */
 public abstract class CPublicKey extends CKey implements PublicKey {
 
+    @java.io.Serial
     private static final long serialVersionUID = -2289561342425825391L;
 
     protected byte[] encoding = null;
@@ -57,6 +61,8 @@ public abstract class CPublicKey extends CKey implements PublicKey {
     public static class CECPublicKey extends CPublicKey implements ECPublicKey {
 
         private ECPoint w = null;
+
+        @java.io.Serial
         private static final long serialVersionUID = 12L;
 
         CECPublicKey(NativeHandles handles, int keyLength) {
@@ -108,7 +114,7 @@ public ECParameterSpec getParams() {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append("]\n  ECPoint: ").append(getW())
                     .append("\n  params: ").append(getParams());
             return sb.toString();
@@ -119,6 +125,8 @@ public static class CRSAPublicKey extends CPublicKey implements RSAPublicKey {
 
         private BigInteger modulus = null;
         private BigInteger exponent = null;
+
+        @java.io.Serial
         private static final long serialVersionUID = 12L;
 
         CRSAPublicKey(NativeHandles handles, int keyLength) {
@@ -127,7 +135,7 @@ public static class CRSAPublicKey extends CPublicKey implements RSAPublicKey {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append(" bits, type=");
             if (handles.hCryptKey != 0) {
                 sb.append(getKeyType(handles.hCryptKey))
@@ -214,6 +222,7 @@ public String getFormat() {
         return "X.509";
     }
 
+    @java.io.Serial
     protected Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
@@ -221,6 +230,22 @@ protected Object writeReplace() throws java.io.ObjectStreamException {
                         getEncoded());
     }
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPublicKeys are not deserializable");
+    }
+
     // Returns the CAPI or CNG representation of the key.
     native byte[] getPublicKeyBlob(long hCryptProv, long hCryptKey)
             throws KeyException;
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/LdapPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/LdapPrincipal.java
index 6af39422d5f..9ab71de3cfd 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/LdapPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/LdapPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
@@ -47,6 +50,7 @@
  */
 public final class LdapPrincipal implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = 6820120005580754861L;
 
     /**
@@ -135,4 +139,31 @@ public String toString() {
     private LdapName getLdapName(String name) throws InvalidNameException {
         return new LdapName(name);
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if ((name == null) || (nameString == null)) {
+            throw new InvalidObjectException(
+                    "null name/nameString is illegal");
+        }
+        try {
+            if (!name.equals(getLdapName(nameString))) {
+                throw new InvalidObjectException("Inconsistent names");
+            }
+        } catch  (InvalidNameException e) {
+            InvalidObjectException nse = new InvalidObjectException(
+                    "Invalid Name");
+            nse.initCause(e);
+            throw nse;
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTDomainPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTDomainPrincipal.java
index ed9c2eff568..771df0f6097 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTDomainPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTDomainPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -47,6 +50,7 @@
  */
 public class NTDomainPrincipal implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = -4408637351440771220L;
 
     /**
@@ -120,9 +124,7 @@ public boolean equals(Object o) {
             return false;
         NTDomainPrincipal that = (NTDomainPrincipal)o;
 
-            if (name.equals(that.getName()))
-                return true;
-            return false;
+        return name.equals(that.getName());
     }
 
     /**
@@ -133,4 +135,24 @@ public boolean equals(Object o) {
     public int hashCode() {
         return this.getName().hashCode();
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"name"};
+            throw new InvalidObjectException(form.format(source));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTSid.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTSid.java
index b5e2dc7d6d6..1bf37f6461d 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTSid.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTSid.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -49,6 +52,7 @@
  */
 public class NTSid implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = 4412290580770249885L;
 
     /**
@@ -80,7 +84,7 @@ public NTSid (String stringSid) {
                 (sun.security.util.ResourcesMgr.getAuthResourceString
                         ("Invalid.NTSid.value"));
         }
-        sid = new String(stringSid);
+        sid = stringSid;
     }
 
     /**
@@ -128,10 +132,7 @@ public boolean equals(Object o) {
             return false;
         NTSid that = (NTSid)o;
 
-        if (sid.equals(that.sid)) {
-            return true;
-        }
-        return false;
+        return sid.equals(that.sid);
     }
 
     /**
@@ -142,4 +143,29 @@ public boolean equals(Object o) {
     public int hashCode() {
         return sid.hashCode();
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (sid == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"stringSid"};
+            throw new InvalidObjectException(form.format(source));
+        }
+        if (sid.length() == 0) {
+            throw new InvalidObjectException
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("Invalid.NTSid.value"));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTUserPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTUserPrincipal.java
index a7c2ce97cd0..d4b9dcef3a9 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/NTUserPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/NTUserPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -43,6 +46,7 @@
  */
 public class NTUserPrincipal implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = -8737649811939033735L;
 
     /**
@@ -114,9 +118,7 @@ public boolean equals(Object o) {
             return false;
         NTUserPrincipal that = (NTUserPrincipal)o;
 
-            if (name.equals(that.getName()))
-                return true;
-            return false;
+        return name.equals(that.getName());
     }
 
     /**
@@ -127,4 +129,25 @@ public boolean equals(Object o) {
     public int hashCode() {
             return this.getName().hashCode();
     }
+
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"name"};
+            throw new InvalidObjectException(form.format(source));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java
index 2780f56ff3b..e8c12e2918d 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 import java.util.Objects;
 
@@ -46,6 +49,7 @@ public class UnixNumericGroupPrincipal implements
                                         Principal,
                                         java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = 3941535899328403223L;
 
     /**
@@ -184,10 +188,8 @@ public boolean equals(Object o) {
             return false;
         UnixNumericGroupPrincipal that = (UnixNumericGroupPrincipal)o;
 
-        if (this.getName().equals(that.getName()) &&
-            this.isPrimaryGroup() == that.isPrimaryGroup())
-            return true;
-        return false;
+        return this.getName().equals(that.getName()) &&
+                this.isPrimaryGroup() == that.isPrimaryGroup();
     }
 
     /**
@@ -198,4 +200,24 @@ public boolean equals(Object o) {
     public int hashCode() {
         return Objects.hash(name, isPrimaryGroup());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"name"};
+            throw new InvalidObjectException(form.format(source));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java
index 30a1e9ca81d..2a48332eedd 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -44,6 +47,7 @@
 public class UnixNumericUserPrincipal implements
                                         Principal,
                                         java.io.Serializable {
+    @java.io.Serial
     private static final long serialVersionUID = -4329764253802397821L;
 
     /**
@@ -146,9 +150,7 @@ public boolean equals(Object o) {
             return false;
         UnixNumericUserPrincipal that = (UnixNumericUserPrincipal)o;
 
-        if (this.getName().equals(that.getName()))
-            return true;
-        return false;
+        return this.getName().equals(that.getName());
     }
 
     /**
@@ -159,4 +161,24 @@ public boolean equals(Object o) {
     public int hashCode() {
         return name.hashCode();
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"name"};
+            throw new InvalidObjectException(form.format(source));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixPrincipal.java
index fde93a62a53..b8a80f75aad 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/UnixPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -43,6 +46,7 @@
  */
 public class UnixPrincipal implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = -2951667807323493631L;
 
     /**
@@ -115,9 +119,7 @@ public boolean equals(Object o) {
             return false;
         UnixPrincipal that = (UnixPrincipal)o;
 
-        if (this.getName().equals(that.getName()))
-            return true;
-        return false;
+        return this.getName().equals(that.getName());
     }
 
     /**
@@ -128,4 +130,24 @@ public boolean equals(Object o) {
     public int hashCode() {
         return name.hashCode();
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            java.text.MessageFormat form = new java.text.MessageFormat
+                    (sun.security.util.ResourcesMgr.getAuthResourceString
+                            ("invalid.null.input.value"));
+            Object[] source = {"name"};
+            throw new InvalidObjectException(form.format(source));
+        }
+    }
 }
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/UserPrincipal.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/UserPrincipal.java
index 04b133e4004..03f382d82f7 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/UserPrincipal.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/UserPrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package com.sun.security.auth;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.Principal;
 
 /**
@@ -44,6 +47,7 @@
  */
 public final class UserPrincipal implements Principal, java.io.Serializable {
 
+    @java.io.Serial
     private static final long serialVersionUID = 892106070870210969L;
 
     /**
@@ -109,4 +113,20 @@ public String getName() {
     public String toString() {
         return name;
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    @java.io.Serial
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        stream.defaultReadObject();
+        if (name == null) {
+            throw new InvalidObjectException("null name is illegal");
+        }
+    }
 }
diff --git a/test/jdk/java/security/KeyRep/RSA.pre.1.5.key b/test/jdk/java/security/KeyRep/RSA.pre.1.5.key
deleted file mode 100644
index 0c15a06c9cd1422eeb75657122a85db1111a1485..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1803
zcmZ4UmVvdnh(REy#I0-cTtjYPQX=x=4Vi1#a6H7Amoifus^GZ_FQ;UGs
zGo}x?&x^Zy-moU9WY8S*=Lr)lZoBf_KY1%pc
z^DSY`F;m?Ocug7l4qg1^75AoV`PY8`@CULxJy$8%|Ls^akx7x^tJHI$TV2WAFBM|u
zS}d27tgt$HOtH}0Ejilwl8LwHbfA*u^Ed4JJ@-Nm%X_cCDgS=ld6Blw_nZJvlb-*w
z$0dwQGl5F_zuB4W-?(e8wSV@uh?(m9H-FAv_~S!=Fnd`eN6nA<^-Kz00a34Ry;zu7
zl(Zl>=ZGl7O|t=QFY^sw#b)ln-SJ?~Tg{WX*K6_=H;
zzhn5@>Bjd~Zmj?&GZAp|1|=0eL{jPbGhcqC^>0~b1~yLyj-<>I=ls&V5>EzBAk!x`
zFTEtglR-Ewv#7YlFF&s;wJ6`IvLw~7G}n`XCnvu=wYVfWwZthCsDZ6GGd-^~H=2Pn
zH!(dgv!pZyoRT5u?t5(!@-R
zB?^SnDN%+HN~S~^LMS^BWeB0{07~nMD1{fSNQD)EQBC2DNxBEy>IQme?hZMMa5~sAVHaKL<+LSRQ8(gH|Rodovh#P^&bo09h#rB7^~H
C((W$+

diff --git a/test/jdk/java/security/KeyRep/SerialOld.java b/test/jdk/java/security/KeyRep/SerialOld.java
index fe8eb32d045..0729883cd2f 100644
--- a/test/jdk/java/security/KeyRep/SerialOld.java
+++ b/test/jdk/java/security/KeyRep/SerialOld.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,14 +23,13 @@
 
 /*
  * @test 1.1, 03/08/13
- * @bug 4532506
+ * @bug 4532506 8301126
  * @summary Serializing KeyPair on one VM (Sun),
  *      and Deserializing on another (IBM) fails
  * @run main/othervm/java.security.policy=SerialOld.policy SerialOld
  */
 
 import java.io.*;
-import java.security.*;
 
 public class SerialOld {
     public static void main(String[] args) throws Exception {
@@ -40,10 +39,15 @@ public static void main(String[] args) throws Exception {
         deserializeTigerKey("DSA");
         deserializeTigerKey("RSA");
 
-        // verify pre-tiger keys still deserialize in our VM
+        // verify pre-tiger keys still deserialize in our VM.
+
+        // There used to be a RSA test here, but the serialized file contained
+        // classes introduced in JDK 5.0 (sun.security.rsa.RSA*).  The older
+        // RSA keys from JDK 1.4.2 were of class JSA_* which were removed when
+        // sun.security.rsa was introduced.  (See JDK-8301126 for more
+        // details.)  The test/data has been removed.
 
         deserializeKey("DSA");
-        deserializeKey("RSA");
         deserializeKey("DH");
         deserializeKey("AES");
         deserializeKey("Blowfish");

From 72662472277fa15e9b82fa5d68c43a5fe5bc3c86 Mon Sep 17 00:00:00 2001
From: Yuri Nesterenko 
Date: Thu, 28 Sep 2023 12:00:14 +0300
Subject: [PATCH 12/15] 8317040: Exclude cleaner test failing on older releases

Reviewed-by: mbalao, andrew, clanger
---
 test/jdk/ProblemList.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt
index 33af3a2bcff..fb6d61ff142 100644
--- a/test/jdk/ProblemList.txt
+++ b/test/jdk/ProblemList.txt
@@ -655,6 +655,7 @@ com/sun/security/sasl/gsskerb/ConfSecurityLayer.java            8039280 generic-
 com/sun/security/sasl/gsskerb/NoSecurityLayer.java              8039280 generic-all
 javax/security/auth/kerberos/KerberosHashEqualsTest.java        8039280 generic-all
 javax/security/auth/kerberos/KerberosTixDateTest.java           8039280 generic-all
+javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java 8285785,8286045,8287596 generic-all
 sun/security/provider/PolicyFile/GrantAllPermToExtWhenNoPolicy.java 8039280 generic-all
 sun/security/provider/PolicyParser/ExtDirsChange.java           8039280 generic-all
 sun/security/provider/PolicyParser/PrincipalExpansionError.java 8039280 generic-all

From d9749edfc6532a106a1d9ee8ae454ef128bceff1 Mon Sep 17 00:00:00 2001
From: Goetz Lindenmaier 
Date: Sun, 8 Oct 2023 15:17:24 +0000
Subject: [PATCH 13/15] 8317121: vector_masked_load instruction is moved too
 early after JDK-8286941

Backport-of: cfabcbf85837e97bdd6c9e4e06e875ecbaa70084
---
 .../vectorization/TestMaskedVectors.java      | 118 ++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 test/hotspot/jtreg/compiler/vectorization/TestMaskedVectors.java

diff --git a/test/hotspot/jtreg/compiler/vectorization/TestMaskedVectors.java b/test/hotspot/jtreg/compiler/vectorization/TestMaskedVectors.java
new file mode 100644
index 00000000000..c106a9bc69c
--- /dev/null
+++ b/test/hotspot/jtreg/compiler/vectorization/TestMaskedVectors.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8317121
+ * @summary Test masked vectors and unsafe access to memory modified by arraycopy
+ * @requires vm.compiler2.enabled
+ * @modules java.base/jdk.internal.misc
+ * @library /test/lib /
+ * @run main/othervm -XX:+IgnoreUnrecognizedVMOptions -XX:+UnlockDiagnosticVMOptions -XX:-TieredCompilation -Xbatch -XX:CompileCommand=quiet -XX:CompileCommand=compileonly,TestMaskedVectors::test* -XX:+StressLCM -XX:+StressGCM -XX:StressSeed=2210259638 TestMaskedVectors
+ * @run main/othervm -XX:+IgnoreUnrecognizedVMOptions -XX:+UnlockDiagnosticVMOptions -XX:-TieredCompilation -Xbatch -XX:CompileCommand=quiet -XX:CompileCommand=compileonly,TestMaskedVectors::test* -XX:+StressLCM -XX:+StressGCM TestMaskedVectors
+ */
+
+import java.lang.reflect.*;
+import java.util.*;
+
+import jdk.internal.misc.Unsafe;
+
+public class TestMaskedVectors {
+
+    private static Unsafe UNSAFE = Unsafe.getUnsafe();
+    private static final long BASE_OFFSET = UNSAFE.arrayBaseOffset(byte[].class);
+
+    static void testLoadVectorMasked(byte[] src, byte[] dst, int len) {
+        byte[] tmp = new byte[64];
+
+        // (3) The LoadVectorMasked is found to be dependent on below arraycopy and
+        // therefore scheduled just below it. As a result, the LoadVectorMasked misses the
+        // updated elements at index 16..48 and dst will contain incorrect values.
+        System.arraycopy(src, 0, tmp, 0, 16);
+
+        // (2) The LoadVectorMasked is incorrectly found to be independent of this arraycopy
+        // because the LoadVectorMasked has offset 0 whereas the arraycopy writes offset >= 16.
+        // The problem is that MemNode::find_previous_store() -> LoadNode::find_previous_arraycopy()
+        // -> ArrayCopyNode::modifies does not account for the size of the load.
+        System.arraycopy(src, 0, tmp, 16, 48);
+
+        // (1) The following arraycopy is expanded into a LoadVectorMasked and a
+        // StoreVectorMasked in PhaseMacroExpand::generate_partial_inlining_block().
+        System.arraycopy(tmp, 0, dst, 0, len);
+    }
+
+    static long testUnsafeGetLong(byte[] src) {
+        byte[] tmp = new byte[16];
+
+        // (3) The unsafe load is found to be dependent on below arraycopy and
+        // therefore scheduled just below it. As a result, the unsafe load misses the
+        // updated elements at index 1..16 and therefore returns an incorrect result.
+        System.arraycopy(src, 0, tmp, 0, 16);
+
+        // (2) The unsafe load is incorrectly found to be independent of this arraycopy
+        // because the load has offset 0 in 'tmp' whereas the arraycopy writes offsets >= 1.
+        // The problem is that MemNode::find_previous_store() -> LoadNode::find_previous_arraycopy()
+        // -> ArrayCopyNode::modifies does not account for the size of the load.
+        System.arraycopy(src, 0, tmp, 1, 15);
+
+        // (1) Below unsafe load reads the first 8 (byte) array elements.
+        return UNSAFE.getLong(tmp, BASE_OFFSET);
+    }
+
+    public static void main(String[] args) {
+        // Initialize src array with increasing byte values
+        byte[] src = new byte[64];
+        for (byte i = 0; i < src.length; ++i) {
+            src[i] = (byte)i;
+        }
+
+        // Compute expected outputs once
+        byte[] golden1 = new byte[64];
+        testLoadVectorMasked(src, golden1, 64);
+
+        long golden2 = testUnsafeGetLong(src);
+
+        // Trigger compilation of test methods and verify the results
+        for (int i = 0; i < 50_000; ++i) {
+            int len = i % 32;
+            byte[] dst = new byte[len];
+            testLoadVectorMasked(src, dst, len);
+
+            boolean error = false;
+            for (int j = 0; j < dst.length; ++j) {
+                if (dst[j] != golden1[j]) {
+                    System.out.println("Incorrect value of element " + j + ": Expected " + golden1[j] + " but got " + dst[j]);
+                    error = true;
+                }
+            }
+            if (error) {
+                throw new RuntimeException("Test LoadVectorMasked failed");
+            }
+
+            long res = testUnsafeGetLong(src);
+            if (res != golden2) {
+                throw new RuntimeException("Incorrect result in test UnsafeGetLong: Expected " + golden2 + " but got " + res);
+            }
+        }
+    }
+}

From 2513f070eca7c2d8a8ef853889e723227e085ce6 Mon Sep 17 00:00:00 2001
From: Christoph Langer 
Date: Fri, 6 Oct 2023 07:31:00 +0200
Subject: [PATCH 14/15] 8317643: [17u] Remove designator
 DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.9

Reviewed-by: goetz
---
 make/conf/version-numbers.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/make/conf/version-numbers.conf b/make/conf/version-numbers.conf
index c188a694618..2b37ac661cb 100644
--- a/make/conf/version-numbers.conf
+++ b/make/conf/version-numbers.conf
@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
 DEFAULT_VERSION_DOCS_API_SINCE=11
 DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
 DEFAULT_JDK_SOURCE_TARGET_VERSION=17
-DEFAULT_PROMOTED_VERSION_PRE=ea
+DEFAULT_PROMOTED_VERSION_PRE=

From d8c51e68e2e183879311dc1a481a8110f72cce28 Mon Sep 17 00:00:00 2001
From: Jason Feng 
Date: Tue, 17 Oct 2023 17:58:22 -0400
Subject: [PATCH 15/15] Update OPENJDK_TAG to merged level jdk-17.0.9+9

Signed-off-by: Jason Feng 
---
 closed/openjdk-tag.gmk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/closed/openjdk-tag.gmk b/closed/openjdk-tag.gmk
index 83a1691a802..e087b426d0c 100644
--- a/closed/openjdk-tag.gmk
+++ b/closed/openjdk-tag.gmk
@@ -1 +1 @@
-OPENJDK_TAG := jdk-17.0.9+7
+OPENJDK_TAG := jdk-17.0.9+9